IT professionals remain skeptical that regulatory compliance can improve data security, but PCI-DSS-compliant organizations experience fewer breaches, according to the Ponemon Institute.

PCI-compliant
organizations suffered fewer or no data breaches in 2009 and 2010 compared to
previous years, according to the latest Ponemon Institute report. Even so,
organizations still do not believe that implementing PCI-DSS
made them more secure.
More
than half, or 64 percent, of PCI-DSS
compliant organizations reported suffering no data breaches involving credit
card data over the past two years, according to the latest 2011 PCI DSS
Compliance Trends Study released April 19. In comparison, only 38 percent of
organizations which were not PCI-DSS
compliant reported no breaches in 2009 and 2010.

The
trend carried over to data breaches not limited to credit card theft, as well.
About the same number, or 63 percent, of compliant organizations did not experience
more than one incident over the same time period, compared to 22 percent of
non-compliant companies. The report also found that 26 percent of non-compliant
organizations reported more than five breaches over the same two years.

"Most
companies who make an effort to comply with the standards are likely to suffer
fewer breaches than those who don't, period," said Amichai Shulman,
co-founder and CTO of Imperva.
In
a survey of 670 United States and multinational IT security practitioners, the
Ponemon Institute examined how efforts to comply with the PCI-DSS
standard affected an organization's security. The report found that 88 percent
of surveyed security professionals did not agree that the PCI regulations had
any impact on the number of data breaches affecting the company. A little more
than one-third, or 39 percent, of the respondents considered improved data
security as one of the benefits of being PCI-compliant.
Even
more telling, only 33 percent of the respondents said that the costs of PCI-DSS
compliance was worth the value it brought to the organization. Companies don't
appear to have an accurate perception of the value of regulatory compliance,
especially considering the March report that pegged the average cost of data
breaches at $214 per compromised record, according to Larry Ponemon, chairman
and co-founder of the Ponemon Institute.
Despite
being cynical of the benefits, two-thirds of the survey participants reported
"substantial compliance" with PCI-DSS and
only 16 percent said they are not compliant at all. Only half the respondents
reported the same level of compliance while 25 percent hadn't adopted the
standards in the 2009 report.
PCI
and the accompanying PA-DSS compliance
regulations require all businesses that accept debit and credit card information
to implement certain safeguards to secure consumer data. Businesses who don't
comply can be forced to shut down. Unlike HIPAA and other regulations, PCI is
entirely industry-enforced.
The
Ponemon report seems to corroborate a similar finding in the 2011 Data Breach
Investigations Report released on the same day by Verizon Business, which found
cyber-criminals were stealing less credit card information. While there were
760 data breaches in 2010, the number of compromised records plunged, according
to Verizon.
The
Verizon report found that cyber-criminals were targeting smaller organizations
because they are less likely to have implemented basic security measures, or to
have done so incorrectly.
Verizon's
report also noted that stolen credit card information were not as valuable on
the black market as they have been in previous years, because there's a glut of
stolen consumer data. Most credit card numbers stolen in 2010 were likely
sudden opportunistic attacks to make some quick cash, Verizon said.